----- Original Message -----
> From: "Rowland Penny" <rpenny at samba.org>
> To: samba at lists.samba.org
> Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> Sent: Wednesday, 24 May 2017 13:12:07
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > So far for standalone server, Rowland, but is it not possible to
> > authenticate (just authenticate) on Active Directory? This
> > configuration is now working on another server with Samba 3 ...
> > access is allowed to users declared in /etc/passwd (these users do
> > not have a Unix password) and the client transparently uses the
> > password they supplied at login time. I am not able to replicate this
> > configuration in Samba 4.
>
> I cannot see how this will work: to authenticate to AD your computer
> would have to be joined to the domain, at which point your user would
> have to only be in AD. I am not saying it will not work, I just don't
> understand how it can.
>
> Can you post the smb.conf from the Samba 3 machine?
>
> Rowland

Samba servers (ver 3 or 4) and clients are all joined to the domain.

Here's the [global] section of the Samba 3 smb.conf:

[global]
    workgroup = CED
    realm = CED.AOS
    server string = file sharing server
    security = ADS
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    printcap name = /dev/null
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap config * : range =
    idmap config * : backend = tdb
    printing = bsd
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
On Wed, 24 May 2017 14:02:49 +0200 (CEST)
Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:

> ----- Original Message -----
> > From: "Rowland Penny" <rpenny at samba.org>
> > To: samba at lists.samba.org
> > Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> > Sent: Wednesday, 24 May 2017 13:12:07
> > Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
> >
> > On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> > Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
> >
> > > So far for standalone server, Rowland, but is it not possible to
> > > authenticate (just authenticate) on Active Directory? This
> > > configuration is now working on another server with Samba 3 ...
> > > access is allowed to users declared in /etc/passwd (these users do
> > > not have a Unix password) and the client transparently uses the
> > > password they supplied at login time. I am not able to replicate this
> > > configuration in Samba 4.
> >
> > I cannot see how this will work: to authenticate to AD your computer
> > would have to be joined to the domain, at which point your user
> > would have to only be in AD. I am not saying it will not work, I
> > just don't understand how it can.
> >
> > Can you post the smb.conf from the Samba 3 machine?
> >
> > Rowland
>
> Samba servers (ver 3 or 4) and clients are all joined to the domain.
>
> Here's the [global] section of the Samba 3 smb.conf:
>
> [global]
>     workgroup = CED
>     realm = CED.AOS
>     server string = file sharing server
>     security = ADS
>     allow trusted domains = No
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     log level = 1
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     load printers = No
>     printcap name = /dev/null
>     domain master = No
>     dns proxy = No
>     panic action = /usr/share/samba/panic-action %d
>     idmap config * : range =
>     idmap config * : backend = tdb
>     printing = bsd
>     print command = lpr -r -P'%p' %s
>     lpq command = lpq -P'%p'
>     lprm command = lprm -P'%p' %j

Are you sure your Windows users are connecting as local Unix users?
You have this:

    map to guest = Bad User

This means that anybody who connects that Samba doesn't know silently
gets mapped to guest and is allowed access.

Rowland
----- Original Message -----
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: samba at lists.samba.org
> Sent: Wednesday, 24 May 2017 14:14:53
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 14:02:49 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > ----- Original Message -----
> > > From: "Rowland Penny" <rpenny at samba.org>
> > > To: samba at lists.samba.org
> > > Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> > > Sent: Wednesday, 24 May 2017 13:12:07
> > > Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
> > >
> > > On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> > > Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
> > >
> > > > So far for standalone server, Rowland, but is it not possible to
> > > > authenticate (just authenticate) on Active Directory? This
> > > > configuration is now working on another server with Samba 3 ...
> > > > access is allowed to users declared in /etc/passwd (these users do
> > > > not have a Unix password) and the client transparently uses the
> > > > password they supplied at login time. I am not able to replicate this
> > > > configuration in Samba 4.
> > >
> > > I cannot see how this will work: to authenticate to AD your computer
> > > would have to be joined to the domain, at which point your user
> > > would have to only be in AD. I am not saying it will not work, I
> > > just don't understand how it can.
> > >
> > > Can you post the smb.conf from the Samba 3 machine?
> > >
> > > Rowland
> >
> > Samba servers (ver 3 or 4) and clients are all joined to the domain.
> >
> > Here's the [global] section of the Samba 3 smb.conf:
> >
> > [global]
> >     workgroup = CED
> >     realm = CED.AOS
> >     server string = file sharing server
> >     security = ADS
> >     allow trusted domains = No
> >     map to guest = Bad User
> >     obey pam restrictions = Yes
> >     pam password change = Yes
> >     passwd program = /usr/bin/passwd %u
> >     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >     unix password sync = Yes
> >     log level = 1
> >     syslog = 0
> >     log file = /var/log/samba/log.%m
> >     max log size = 1000
> >     load printers = No
> >     printcap name = /dev/null
> >     domain master = No
> >     dns proxy = No
> >     panic action = /usr/share/samba/panic-action %d
> >     idmap config * : range =
> >     idmap config * : backend = tdb
> >     printing = bsd
> >     print command = lpr -r -P'%p' %s
> >     lpq command = lpq -P'%p'
> >     lprm command = lprm -P'%p' %j
>
> Are you sure your Windows users are connecting as local Unix users?
> You have this:
>
>     map to guest = Bad User
>
> This means that anybody who connects that Samba doesn't know silently
> gets mapped to guest and is allowed access.
>
> Rowland

In this system (Samba 3) there are about 3,000 users with 150 shares
(apart from home shares), so I am sure this is not happening.

The manual about map to guest is saying: "This parameter can take four
different values, which tell smbd(8) what to do with user login requests
that don't match a valid UNIX user in some way."

Daniele
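As an added example (not code from the thread or from the Samba project), a small Python audit of an smb.conf [global] section that flags the two settings a reviewer of the quoted config would want to look at: the map to guest value Rowland points out and the empty idmap range; the sample configs are constructed from the thread's smb.conf, and the function names are my own.

```python
import configparser

# Constructed sample: the [global] settings from the Samba 3 smb.conf quoted
# in the thread that decide who gets in and how they are mapped to Unix ids.
AS_POSTED = """
[global]
workgroup = CED
realm = CED.AOS
security = ADS
map to guest = Bad User
idmap config * : range =
idmap config * : backend = tdb
"""

# Constructed counterpart with both findings corrected (range is an example).
HARDENED = """
[global]
workgroup = CED
realm = CED.AOS
security = ADS
map to guest = Never
idmap config * : range = 10000-999999
idmap config * : backend = tdb
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with lower-cased keys.

    Only '=' may separate key and value: smb.conf keys such as
    'idmap config * : range' contain ':' themselves, and values such as
    '%n' must not be treated as interpolation. '#' and ';' comments match.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return {s: {k: v.strip() for k, v in cp.items(s)} for s in cp.sections()}


def audit_global(conf):
    """Return findings for the [global] section of a parsed smb.conf."""
    g = conf.get("global", {})
    findings = []
    # Samba's default is Never; any other value lets smbd hand an unknown
    # or failed login the guest account instead of refusing the session.
    mtg = g.get("map to guest", "Never")
    if mtg.lower() != "never":
        findings.append(f"map to guest = {mtg}: unknown users are mapped to guest")
    # The default (*) idmap backend needs an explicit id range in AD mode.
    if g.get("security", "").upper() == "ADS" and not g.get("idmap config * : range"):
        findings.append("idmap config * : range is empty")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, audit_global(parse_smb_conf(text)) or ["no findings"])
```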